MP pitches Denial of Service law to Parliament

'Treat these attacks with the seriousness they deserve'

Derek Wyatt MP, Chairman of the All Party Parliamentary Internet Group (APIG), will try to persuade Parliament next month that the country's 15-year-old Computer Misuse Act needs updating, to increase penalties for hackers and to criminalise denial of service attacks.

The Labour MP for Sittingbourne and Sheppey said today that his Ten Minute Rule Bill – a type of bill offering a back bench MP just 10 minutes to pitch legislation to the House of Commons – is scheduled for a hearing on 5 April.

Wyatt's bill picks up on two main recommendations in last summer's APIG report on the 1990 Act: to add a specific Denial of Service (DoS) offence; and to increase the sentence for hacking – where no manipulation of data or further crime takes place – from six months to two years. Aggravated hacking offences would still carry up to five years in prison.

A DoS attack involves flooding a server with data – sometimes just thousands of emails – to the point where it collapses. More advanced attacks are launched from several machines – known as Distributed DoS, or DDoS attacks.

The consensus is that the Computer Misuse Act probably covers some DDoS attacks, because third party computers are compromised without permission. Whether a plain-vanilla DoS attack is covered is a moot point. The relevant wording in the current Act is that it's an offence to cause "an unauthorised modification of the contents of any computer". Some say a DoS attack amounts to a "modification"; others disagree.

APIG, which exists to provide a discussion forum between new media industries and parliamentarians, wants to remove the ambiguity. It also wants to send a clear signal to the police, Crown Prosecution Service and the courts that DoS attacks should be taken seriously. And it hopes that publicity about the new offence will deter potential attackers by making it explicit that their actions are clearly criminal.

This is the second attempt to tack a DoS extension onto the Computer Misuse Act. The first was a Private Member's Bill introduced by the Earl of Northesk in 2002; but like most Private Members' Bills, it failed. And Derek Wyatt has no illusions about his Ten Minute Rule bill becoming an Act in the short term.

Due to the brevity of the pitch, the Ten Minute Rule bill is a process generally used as a means of making a point on the need to change a law. It's also an opportunity to gauge Parliamentary opinion. Notice of the bill is circulated and one opposing motion is allowed in the House.

Wyatt explained: "The All Party Group was hoping that an MP would have picked this up as part of the Private Members' allocation for bills but sadly no-one did so it seemed sensible given the work we undertook last year to at least place on record what we think the Bill should look like in the hope that the Government will come back to it after the General Election."

His Computer Misuse Act 1990 (Amendment) Bill says it would be an offence to do something without authority which causes or which is intended to cause "directly or indirectly, an impairment of access to any program or data held in any computer".

'Seriousness they deserve'

This much is similar to the Earl of Northesk's bill of the same name. But that version went no further, and was criticised for being too wide. Wyatt's version specifies that there must be "intent to damage the performance of an activity for which the relevant computer, or any program or data held on that computer, is used."

Wyatt's bill also suggests a maximum sentence of two years for a basic DoS or DDoS attack. The Earl of Northesk's would have applied the Act's maximum sentence of five years. But with Wyatt's bill, where there is intent to commit further offences, the penalty would be five years. This might apply to those who launch attacks and try to blackmail the victim with the threat of further attacks.

Richard Allan MP, Liberal Democrat spokesman for IT, and Vice Chairman of APIG said: "This reform is necessary if we are to treat these attacks with the seriousness which they deserve."

The Computer Misuse Act has been used in a jury trial over a DDoS attack. But it has only happened once. Dorset teenager Aaron Caffrey was acquitted in 2003, after convincing a jury that he was not responsible for the attack that hit the computer systems of the Port of Houston in Texas. Aaron Caffrey gives his first interview in the latest edition of OUT-LAW Magazine, out next week. Caffrey says that the Act should be scrapped, not amended.

The UK's second high-profile DoS case may take place later this year: in January, Matthew Anderson appeared in Elgin Sheriff Court, Scotland, facing charges under the Act. He is accused of carrying out DoS attacks as part of an extortion plot that targeted companies in Scotland and the US. But it is early days in that case: there is no guarantee that it will go to trial.

Scotland also has a common law offence of "malicious mischief" that could possibly be used to prosecute DoS attacks. Wyatt's bill excludes Scotland, but not because of this extra law. The most likely reason is that, while the Computer Misuse Act applies to Scotland, changes to it now fall within the devolved powers of the Scottish Parliament.

Jon Fell, a partner with Pinsent Masons, the law firm behind OUT-LAW.COM, said of the new bill: "It's disappointing that APIG's recommendations never made Parliament's agenda, despite assurances from the Home Office at the time that they would be given full consideration. The aim of today's bill is laudable: we need clarity on how the law treats DoS attacks. But the biggest problem is not the lack of laws to deal with computer crime. The biggest problem is catching the criminals."